CVE-2021-44564
moderate-risk
Published 2022-01-06
A security vulnerability originally reported in the SYNC2101 product, and applicable to specific sub-families of SYNC devices, allows an attacker to download the configuration file used in the device and apply a modified configuration file back to the device. The attack requires network access to the SYNC device and knowledge of its IP address. The attack exploits the unsecured communication channel used between the administration tool Easyconnect and the SYNC device (in the affected family of SYNC products).
Do I need to act?
0.48% chance of exploitation
EPSS score — low exploit probability
Not on CISA KEV list
No confirmed active exploitation reported to CISA
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
CVSS 8.1/10 · High
NETWORK / HIGH complexity
Affected Products (20)
Sync241-M1 Firmware
Sync241-M2 Firmware
Sync241-M4 Firmware
Sync261-M1 Firmware
Sync2000-M1 Firmware
Sync2000-M2 Firmware
Sync2000-M4 Firmware
Sync2101-M1 Firmware
Sync2101-M2 Firmware
Sync2101-M6 Firmware
Sync2101-M7 Firmware
Sync2101-M8 Firmware
Sync2111-M2 Firmware
Sync2111-M3 Firmware
Sync3000-M1 Firmware
Sync3000-M2 Firmware
Sync3000-M3 Firmware
Sync3000-M4 Firmware
Sync3000-M12 Firmware
Sync221-M1 Firmware
Affected Vendors
References (4)
Vendor Advisory
https://kalkitech.com/wp-content/uploads/CYB_33631_Advisory.pdf
Vendor Advisory
https://www.kalkitech.com/cybersecurity/
Vendor Advisory
https://kalkitech.com/wp-content/uploads/CYB_33631_Advisory.pdf
Vendor Advisory
https://www.kalkitech.com/cybersecurity/
46 / 100 · moderate-risk
Severity: 24/34 · High
Exploitability: 2/34 · Minimal
Exposure: 20/34 · Moderate